On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. The vulnerability allows unauthenticated attackers to execute arbitrary code on the server.
Props to dudekmar who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $4,290.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on November 20, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on December 20, 2025.
We provided full disclosure details to the ACF Extended team instantly through our Wordfence Vulnerability Management Portal on November 20, 2025. The vendor released the patch the next day, on November 21, 2025. We would like to commend the ACF Extended team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Advanced Custom Fields: Extended, version 0.9.2 at the time of this publication, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Technical Analysis
Advanced Custom Fields: Extended is an addon WordPress plugin for the Advanced Custom Fields plugin, which adds fields, a form manager and much more.
Examination of the code reveals that the plugin uses the prepare_form() function in the acfe_module_form_front_render class to render forms.
function prepare_form($form){

    if(!$form){
        return false;
    }

    // field values
    // we must inject values earlier than 10 so custom check in acf/prepare_field can be done
    // this fix an issue with Select 'custom value' which is checked on acf/prepare_field/type=select
    add_filter('acf/prepare_field', array($this, 'prepare_field_values'), 9);

    // field settings
    add_filter('acf/prepare_field', array($this, 'prepare_field_settings'), 15);

    // field attributes
    add_filter('acf/prepare_field', array($this, 'prepare_field_attributes'), 15);

    // uploader (always set in case of multiple forms on the page)
    acf_disable_filter('acfe/form/uploader');

    if($form['settings']['uploader'] !== 'default'){
        acf_enable_filter('acfe/form/uploader');
        acf_update_setting('uploader', $form['settings']['uploader']);
    }

    // custom instruction placement
    acf_enable_filter('acfe/override_instruction');
    acf_disable_filter('acfe/instruction_tooltip');
    acf_disable_filter('acfe/instruction_above_field');

    if($form['attributes']['fields']['instruction'] === 'tooltip'){
        acf_enable_filter('acfe/instruction_tooltip');
    }elseif($form['attributes']['fields']['instruction'] === 'above_field'){
        acf_enable_filter('acfe/instruction_above_field');
    }

    // generate render
    if($form['render']){

        // added mapped fields to context
        // this allow {render:field_name} to first check fields of the mapped field groups
        $mapped_fields = $this->get_form_fields_keys($form);
        acfe_add_context('mapped_fields', $mapped_fields);

        // check if render has {render:submit} tag
        $has_render_submit = false;

        // array render
        if(is_array($form['render'])){

            $html = array_map(function($row){
                return "{render:$row}";
            }, $form['render']);

            $html = implode('', $html);

            // assign new render
            $form['render'] = $html;

        // function render
        }elseif(is_callable($form['render'])){

            ob_start();
            call_user_func_array($form['render'], array($form));
The callable used to render the form is taken from the ‘form[render]’ parameter, which comes from user input, and the only argument passed to it is the ‘form’ array itself, which is also supplied via user input. The sole gate is is_callable(), which checks that a function of that name exists and can be invoked, not that it is safe to invoke from a request. An attacker can therefore name any PHP function in ‘form[render]’ and have it called with an attacker-controlled array as its argument. That amounts to arbitrary function invocation and, through any function that acts on a single array of data, to arbitrary code execution.
One example of leveraging this vulnerable function call is privilege escalation: wp_insert_user() takes a single array of user data, which matches the one argument the callable receives, so an attacker can set ‘form[render]’ to wp_insert_user and fill the rest of the ‘form’ array with the data for a new user holding the administrator role.
As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.
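The unsafe pattern beside a hardened replacement, as an added example written for this page and not code from the ACF Extended plugin: the hardened version looks the renderer up in a fixed server-side registry, so request data can select a renderer but never name a PHP function. All names here (render_form_unsafe, RENDER_CALLBACKS, render_form_safe and the keys of the constructed request) are illustrative assumptions, and var_dump() stands in for wp_insert_user() so the script runs without WordPress.

```php
<?php
// Added example, not code from the ACF Extended plugin: the unsafe pattern
// from prepare_form() reduced to its essentials, next to a hardened
// replacement. No WordPress functions are used, so it runs stand-alone.
// All function and key names here are assumptions for illustration.

// Unsafe: a request-controlled string is accepted as a callable and invoked
// with the whole form array as its single argument. is_callable() only
// checks that such a function exists; it is not an allowlist.
function render_form_unsafe(array $form): string
{
    if (isset($form['render']) && is_callable($form['render'])) {
        ob_start();
        call_user_func_array($form['render'], array($form));
        return (string) ob_get_clean();
    }
    return '';
}

// Hardened: request data can only select a renderer from a fixed,
// server-side registry; it can never name the code that runs.
const RENDER_CALLBACKS = [
    'default' => 'render_default',
    'compact' => 'render_compact',
];

function render_default(array $form): void
{
    echo '<form>' . htmlspecialchars($form['name'] ?? '', ENT_QUOTES) . '</form>';
}

function render_compact(array $form): void
{
    echo '<form class="compact"></form>';
}

function render_form_safe(array $form): string
{
    $key = $form['render'] ?? 'default';
    if (!is_string($key) || !array_key_exists($key, RENDER_CALLBACKS)) {
        throw new InvalidArgumentException('unknown render callback');
    }
    $callback = RENDER_CALLBACKS[$key];   // resolved from the registry, not from the request
    ob_start();
    $callback($form);
    return (string) ob_get_clean();
}

// Constructed request body shaped like the attack the advisory describes:
// the attacker names a function and the rest of the array is its argument.
// var_dump stands in for wp_insert_user(), which takes one array of user data.
$attacker_form = [
    'render'     => 'var_dump',
    'user_login' => 'attacker',
    'role'       => 'administrator',
];

echo render_form_unsafe($attacker_form);  // the attacker-named function runs

try {
    render_form_safe($attacker_form);      // rejected: 'var_dump' is not a registry key
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

echo render_form_safe(['render' => 'compact', 'name' => 'contact']), "\n";
```

Run it with php on the command line. The unsafe path dumps the attacker's array, and any other function that accepts a single array would run the same way; the safe path throws before any code is chosen by the request. The general point is that is_callable() answers "does a function by this name exist", which is true for almost everything an attacker would want to call, so it cannot serve as an authorization check.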
The Patch
The vendor patched this issue by removing the callable-based render path entirely: prepare_form() no longer accepts a function name in ‘form[render]’ and no longer passes user-supplied data to call_user_func_array().
Disclosure Timeline
November 18, 2025 – We received the submission for the Remote Code Execution vulnerability in Advanced Custom Fields: Extended via the Wordfence Bug Bounty Program.
November 20, 2025 – We validated the report and confirmed the proof-of-concept exploit.
November 20, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
November 20, 2025 – Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
November 20, 2025 – The vendor acknowledged the report and began working on a fix.
November 21, 2025 – The fully patched version of the plugin, 0.9.2, was released.
December 20, 2025 – Wordfence Free users will receive the same protection.
Conclusion
In this blog post, we detailed a Remote Code Execution vulnerability within the Advanced Custom Fields: Extended plugin affecting versions 0.9.0.5 through 0.9.1.1. This vulnerability allows unauthenticated threat actors to execute malicious code on the server. The vulnerability has been addressed in version 0.9.2 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Advanced Custom Fields: Extended as soon as possible considering the critical nature of this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
The post 100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin appeared first on Wordfence.